1. www.epikh.eu The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) Grid Engine Riccardo Rotondo (riccardo.rotondo@garr.it)riccardo.rotondo@garr.it Consortium GARR Joint CHAIN/EPIKH School for Application Porting to Science Gateways Beijing, 11.04.2012

2. Outline A Simple API for Grid Applications (SAGA): – The OGF (Open Grid Forum) Standard; – JSAGA: a Java implementation of SAGA; A generic Grid Engine for Science Gateways based on SAGA; – Grid Engine based on JSAGA; – EGI Portal Policy & Grid Security Traceability; Grid Engine usage example. Beijing, Asia4, 11.04.2012 2

3. A Simple API for Grid Applications (SAGA) SAGA is an API that provides the basic functionality required to build distributed applications, tools and frameworks; It is independent of the details of the underlying infrastructure (e.g., the middleware); SAGA is an OGF specification: http://www.gridforum.org/documents/GFD.90.pdf http://www.gridforum.org/documents/GFD.90.pdf Several Implementations are available: – A C++ and a Java implementation developed at the Louisiana State University / CCT and Vrije Universiteit Amsterdam (http://apidoc.saga.cct.lsu.edu );http://apidoc.saga.cct.lsu.edu – A Java implementation developed at CCIN2P3 (http://grid.in2p3.fr/jsaga/);http://grid.in2p3.fr/jsaga/ – A Python implementation based on those above. Beijing, Asia4, 11.04.2012 3

4. SAGA is made of: SAGA Core Libraries: contain the SAGA base system, the runtime and the API packages (job management, data management, etc.); SAGA Adaptors: provide access to the underlying grid infrastructure (adaptors are available for gLite, ARC, Globus, UNICORE and other middleware); SAGA defines a standard We then need an implementation! A Simple API for Grid Applications (SAGA) Beijing, Asia4, 11.04.2012 4

5. JSAGA JSAGA is a Java implementation of SAGA developed at CCIN2P3; JSAGA: – Enables uniform data and job management across different grid infrastructures/middleware; – Makes extensions easily: adaptor interfaces are designed to minimize coding effort for integrating support of new technologies/middleware; – Is OS independent: most of the provided adaptors are written in full Java and they are tested both on Windows and Linux. Beijing, Asia4, 11.04.2012 5

6. JSAGA Adaptors JSAGA supports gLite, Globus, ARC, UNICORE, etc. Beijing, Asia4, 11.04.2012 6

7. A Generic Grid Engine for Science Gateways based on JSAGA Grid Engine Users Tracking DB Science GW Interface JSAGA API Job Engine Data Engine Users Track & Monit. Science GW 1 Science GW 2 Science GW 3 Grid MWs Liferay Portlets eToken Server Beijing, Asia4, 11.04.2012 7

8. In order to strong reduce the risks to have the robot certificate compromised, the INFN CA decided to store this new certificate on board of the SafeNet eToken smart cards [6]; The AeToken smart card can support many certificates; A token PIN is prompted every time the user needs to interact with the smart card; E-TOKEN Beijing, Asia4, 11.04.2012 8

9. Users Client Applications Grid Portals / Science Gateways E-TOKEN SERVER Host based mutual authentication Beijing, Asia4, 11.04.2012 9

10. EGI Users Tracking DB The Portal, the associated Portal VO and the Portal manager are all individually and collectively responsible and accountable for all interactions with the Grid; The Portal must be capable of limiting the job submission rate; The Portal must keep audit logs for all interactions with the Grid as defined in the Traceability and Logging Policy (minimum 90 days); The Portal manager and operators must assist in security incident investigations; Where relevant, private keys associated with (proxy) certificates must not be transferred across a network, not even in encrypted form. Beijing, Asia4, 11.04.2012 10

11. Users’ Traceability in Science Gateways GRID USAGE TRACEABILITY Common NamePortal User Name as stored in LDAP IP + PortIP address and TCP port used by the requester TimestampIdentify the grid operation date/time Grid InteractionGrid Interaction Identification (Job “X” submission, file upload/download). The portal MUST classify all the grid operations allowed. This value will allow to identify both applications used and operation performed. Grid IDStore the actual GRID Interaction ID (Job ID for job submission and some other relevant information for data transfer) Robot CertificateIdentify the Robot Certificate used for the Grid Operation Two Tables: one for active Jobs and File Transfers and one for the finished ones. ID70 Common Namefpistagna IP + TCP Port193.206.208.183:8162 Timestamp2011-07-06 14:16:29 Grid Interaction1 Grid ID[wms://infn-wms- 01.ct.pi2s2.it:7443/glite_wms_wmproxy_server]-[https://infn-lb- 01.ct.pi2s2.it:9000/7rQ458xozactEEjoXMlxQg] Robot Certificate/C=IT/O=INFN/OU=Robot/L=COMETA/CN=Robot: ViralGrid Science Gateway - Roberto Barbera Virtual Organisationcometa Example of entry in the Users Tracking DB Beijing, Asia4, 11.04.2012 11

12. References A Simple API for Grid Applications (SAGA): – http://www.gridforum.org/documents/GFD.90.pdf; http://www.gridforum.org/documents/GFD.90.pdf JSAGA: – http://grid.in2p3.fr/jsaga/; http://grid.in2p3.fr/jsaga/ Other SAGA Implementations: – The C++ implementation developed at the Louisiana State University/CCT: http://apidoc.saga.cct.lsu.edu ;http://apidoc.saga.cct.lsu.edu – The Java implementation developed at the Vrije Universiteit Amsterdam: http://apidoc.saga.cct.lsu.edu/saga-java/.http://apidoc.saga.cct.lsu.edu/saga-java/ Beijing, Asia4, 11.04.2012 12

13. Hands-on Please follow the instructions on this wiki page: http://gilda.ct.infn.it/wikimain/- /wiki/Main/GridEngineStandaloneCode http://gilda.ct.infn.it/wikimain/- /wiki/Main/GridEngineStandaloneCode Beijing, Asia4, 11.04.2012 13

14. Questions? Beijing, Asia4, 11.04.2012 14